Reference:
Advisory #2024-10
Version:
1.0
Affected software:
Apache RocketMQ 5.x versions 5.0.0 through 5.1.1 and 4.x versions up to and including 4.9.6
Type:
Remote Code Execution
CVE/CVSS:
CVE-2023-37582: CVSS 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
https://lists.apache.org/thread/m614czxtpvlztd7mfgcs2xcsg36rdbnc
CVE-2023-37582 is an RCE vulnerability in Apache RocketMQ that is actively exploited. An unauthenticated attacker can exploit it to gain remote code execution as the system user RocketMQ runs as. The underlying weakness is CWE-94, Improper Control of Generation of Code ('Code Injection').
Successful exploitation has a high impact on confidentiality, integrity and availability.
This vulnerability is closely related to the earlier CVE-2023-33246. That issue was patched in May 2023, but the fix did not completely resolve the problem in the NameServer component. CVE-2023-33246 was added to the CISA Known Exploited Vulnerabilities (KEV) catalog on 6 September 2023.
Note: CVE-2023-37582 itself has not been added to the CISA KEV. Because the same component remains vulnerable, we assume this vulnerability is being actively exploited as well. This assumption is supported by data from The Shadowserver Foundation, which has logged hundreds of hosts scanning for and attempting to exploit exposed RocketMQ systems.
Apache RocketMQ is a cloud-native messaging, eventing and streaming platform for real-time data processing, spanning cloud, edge and device deployments.
CVE-2023-37582 affects the RocketMQ NameServer component. The issue was already covered by CVE-2023-33246, but the vendor's patch for that CVE did not fully fix the NameServer component.
An attacker can exploit this vulnerability by using the update-configuration function of the NameServer component to execute commands as the system user RocketMQ runs as. This is only possible under specific conditions:
Affected versions:
Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable systems with the highest priority, after thorough testing. The patched versions are the following:
Monitor/Detect
The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.
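The advisory states that exploitation goes through the NameServer's update-configuration function and asks organisations to raise their monitoring. One concrete detection a practitioner can run is to decode the RocketMQ remoting frames seen on the NameServer or broker port and alert on every configuration-update request, since an exposed NameServer should never receive one from an untrusted address. The block below is an added example written for this page; it is neither CCB code nor part of Apache RocketMQ. It assumes the RocketMQ remoting frame layout (4-byte total length, 4-byte header word with the serializer type in the high byte and the header length in the low three bytes, JSON header, raw body), the request codes UPDATE_BROKER_CONFIG = 25, GET_ROUTEINFO_BY_TOPIC = 105 and UPDATE_NAMESRV_CONFIG = 318, and that a config-update body is key=value text. The sample frames, the IP addresses and the `someSetting` key and its value are constructed placeholders, not captured traffic or a real payload.

```python
"""Flag RocketMQ configuration-update requests seen on the wire.

Added example for this advisory; it is neither CCB code nor part of Apache
RocketMQ. Assumed from the RocketMQ remoting protocol: a frame is a 4-byte
total length, a 4-byte header word (serializer type in the high byte, 0 =
JSON; header length in the low 3 bytes), the JSON header, then the body;
request codes UPDATE_BROKER_CONFIG = 25, GET_ROUTEINFO_BY_TOPIC = 105 and
UPDATE_NAMESRV_CONFIG = 318; a config-update body is key=value text.
The sample frames at the bottom are constructed, not captured traffic.
"""
import json
import re
import struct
from typing import Optional

UPDATE_BROKER_CONFIG = 25
GET_ROUTEINFO_BY_TOPIC = 105
UPDATE_NAMESRV_CONFIG = 318
CONFIG_UPDATE_CODES = {
    UPDATE_BROKER_CONFIG: "UPDATE_BROKER_CONFIG",
    UPDATE_NAMESRV_CONFIG: "UPDATE_NAMESRV_CONFIG",
}
# Characters in a config value that would matter if it ever reached a shell.
SHELL_META = re.compile(r"[|;&`$]")


def encode_frame(header: dict, body: bytes = b"") -> bytes:
    """Build one remoting frame with a JSON header (used for the samples)."""
    hdr = json.dumps(header, separators=(",", ":")).encode()
    header_word = (0 << 24) | len(hdr)      # serializer 0 = JSON, then length
    total = 4 + len(hdr) + len(body)        # header word + header + body
    return struct.pack(">II", total, header_word) + hdr + body


def decode_frame(frame: bytes):
    """Return (header, body); raise ValueError on anything malformed."""
    if len(frame) < 8:
        raise ValueError("frame shorter than the two length words")
    total, header_word = struct.unpack(">II", frame[:8])
    if total != len(frame) - 4:
        raise ValueError("total length field does not match frame size")
    serializer, hdr_len = header_word >> 24, header_word & 0x00FFFFFF
    if serializer != 0:
        raise ValueError(f"unsupported header serializer {serializer}")
    if 8 + hdr_len > len(frame):
        raise ValueError("header length exceeds frame")
    return json.loads(frame[8:8 + hdr_len]), frame[8 + hdr_len:]


def parse_properties(body: bytes) -> dict:
    """Parse key=value lines; blank lines and '#' comments are skipped."""
    props = {}
    for line in body.decode(errors="replace").splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props


def inspect_frame(frame: bytes, src: str) -> Optional[dict]:
    """Alert on config-update requests; return None for everything else."""
    header, body = decode_frame(frame)
    code = header.get("code")
    # Bit 0 of 'flag' marks a response; only requests carry an update.
    if header.get("flag", 0) & 1 or code not in CONFIG_UPDATE_CODES:
        return None
    props = parse_properties(body)
    suspicious = {k: v for k, v in props.items() if SHELL_META.search(v)}
    return {
        "src": src,
        "request": CONFIG_UPDATE_CODES[code],
        "keys": sorted(props),
        "shell_metachars": suspicious,
        # Any remote config update deserves a look; metacharacters more so.
        "severity": "high" if suspicious else "medium",
    }


def scan_frames(frames) -> list:
    """Run inspect_frame over (src, frame) pairs; malformed frames alert too."""
    alerts = []
    for src, frame in frames:
        try:
            alert = inspect_frame(frame, src)
        except ValueError as exc:
            alert = {"src": src, "request": "MALFORMED",
                     "error": str(exc), "severity": "low"}
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample traffic towards a NameServer: a routine route lookup
# from an internal client, then a config update from an unknown address
# whose value carries a shell metacharacter (placeholder key, not a payload).
SAMPLE_FRAMES = [
    ("10.0.0.5", encode_frame({"code": GET_ROUTEINFO_BY_TOPIC, "flag": 0,
                               "opaque": 1, "extFields": {"topic": "orders"}})),
    ("203.0.113.9", encode_frame({"code": UPDATE_NAMESRV_CONFIG, "flag": 0,
                                  "opaque": 2},
                                 b"# constructed\nsomeSetting=/tmp/x;id\n")),
]

if __name__ == "__main__":
    for alert in scan_frames(SAMPLE_FRAMES):
        print(alert)
```

In practice, feed `scan_frames` the reassembled TCP payloads from a capture on the NameServer port (9876 by default) or on the broker port. Every config-update request from outside the management network is worth an incident ticket on its own, regardless of its content, because the request is unauthenticated; the metacharacter heuristic only raises the priority. Malformed frames are reported rather than dropped, since a scanner probing the port is itself a signal.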
In case of an intrusion, you can report an incident via: https://ccb.belgium.be/cert/report-incident
While patching appliances or software to the newest version protects against future exploitation, it does not remediate a compromise that has already taken place. Systems that were exposed while vulnerable should be checked for signs of intrusion.